WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
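The last two bullets in practice, as an added example (not code from Plugin Check or from any plugin listed on this page): a prepared, cache-aware read with invalidation on write, and an idempotent `dbDelta()` table setup on activation. The `myplugin` prefix, table name, columns, and cache group are hypothetical, and the `%i` identifier placeholder assumes WordPress 6.2 or later.

```php
<?php
// Added example: the "myplugin" names, table, and columns are hypothetical.
function myplugin_get_price_history( $product_id ) {
	global $wpdb;
	$product_id = absint( $product_id );
	$cache_key  = 'price_history_' . $product_id;
	$rows       = wp_cache_get( $cache_key, 'myplugin' );
	if ( false === $rows ) {
		// Cache miss: %i quotes the table identifier, %d binds the dynamic value.
		$rows = $wpdb->get_results(
			$wpdb->prepare(
				'SELECT price, recorded_at FROM %i WHERE product_id = %d ORDER BY recorded_at DESC LIMIT 50',
				$wpdb->prefix . 'myplugin_prices',
				$product_id
			)
		);
		wp_cache_set( $cache_key, $rows, 'myplugin', HOUR_IN_SECONDS );
	}
	return $rows;
}

// Writes go through $wpdb->insert() with explicit formats and drop the cached read.
function myplugin_add_price( $product_id, $price ) {
	global $wpdb;
	$product_id = absint( $product_id );
	$wpdb->insert(
		$wpdb->prefix . 'myplugin_prices',
		array( 'product_id' => $product_id, 'price' => $price, 'recorded_at' => current_time( 'mysql', true ) ),
		array( '%d', '%f', '%s' )
	);
	wp_cache_delete( 'price_history_' . $product_id, 'myplugin' );
}
// Idempotent schema: dbDelta() compares this definition to the live table and
// applies only the differences, so running it on every activation is safe.
function myplugin_install() {
	global $wpdb;
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$table = $wpdb->prefix . 'myplugin_prices';
	dbDelta(
		"CREATE TABLE $table (
		id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
		product_id bigint(20) unsigned NOT NULL,
		price decimal(19,4) NOT NULL,
		recorded_at datetime NOT NULL,
		PRIMARY KEY  (id),
		KEY product_id (product_id)
		) " . $wpdb->get_charset_collate() . ';'
	);
}
register_activation_hook( __FILE__, 'myplugin_install' );
```

Without a persistent object cache, the `wp_cache_*` calls only deduplicate reads within a single request.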
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2751 | Product Price History for WooCommerce | 42 | 101 | 800 | Nonce verification recommended | |||
| #2752 | Proxy & VPN Blocker | 42 | 10 | 72 | 1k+ | | | Nonce verification recommended |
| #2753 | Rename wp-admin login | 42 | 23 | 38 | 8k+ | | | Output is not escaped |
| #2754 | Republish Old Posts | 42 | 83 | 24 | 2k+ | | | Output is not escaped |
| #2755 | Reusable Blocks Extended | 42 | 38 | 15 | 20k+ | | | Output is not escaped |
| #2756 | Secure Passkeys | 42 | 146 | 76 | 1k+ | | | Exception output is not escaped |
| #2757 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | | | Output is not escaped |
| #2758 | Set All First Images As Featured | 42 | 44 | 13 | 700 | | | Text Domain Mismatch |
| #2759 | Simple Googlebot Visit | 42 | 32 | 67 | 1k+ | | | Non Singular String Literal Domain |
| #2760 | Speed Contact Bar | 42 | 53 | 20 | 5k+ | | | Output is not escaped |
| #2761 | Starter Sites | 42 | 62 | 25 | 1k+ | | | Output is not escaped |
| #2762 | Transients Manager | 42 | 45 | 50 | 20k+ | | | Output is not escaped |
| #2763 | Ultimate Category Excluder | 42 | 22 | 26 | 50k+ | | | Missing nonce verification |
| #2764 | Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page | 42 | 15 | 89 | 9k+ | | | Non-prefixed global variable |
| #2765 | Vast Demo Import | 42 | 180 | 113 | 600 | | | Text Domain Mismatch |
| #2766 | WC Price History | 42 | 18 | 21 | 4k+ | | | Database parameter is not escaped |
| #2767 | Auto Coupons for WooCommerce | 42 | 81 | 68 | 4k+ | | | Output is not escaped |
| #2768 | WPC Order Notes for WooCommerce | 42 | 24 | 41 | 900 | | | Output is not escaped |
| #2769 | WP Author Security | 42 | 40 | 13 | 500 | | | Output is not escaped |
| #2770 | WP Before After Image Slider – Interactive Image and Video Comparison Plugin for WordPress | 42 | 112 | 17 | 1k+ | | | Text Domain Mismatch |
| #2771 | WP Cron Cleaner | 42 | 51 | 38 | 500 | | | Unsafe printing function |
| #2772 | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | 42 | 2,583 | 1,823 | 10k+ | | | Text Domain Mismatch |
| #2773 | WP Fingerprint | 42 | 34 | 47 | 9k+ | | | Direct Query |
| #2774 | WP Post Redirect | 42 | 29 | 17 | 3k+ | | | Unsafe printing function |
| #2775 | Advanced All in One Admin Search by WP Spotlight | 42 | 25 | 25 | 1k+ | | | Missing Version |
| #2776 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | | | Nonce verification recommended |
| #2777 | Customize Snapshots | 43 | 9 | 42 | 500 | | | Nonce verification recommended |
| #2778 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | | | Nonce verification recommended |
| #2779 | F4 Total Stock Value for WooCommerce | 43 | 27 | 12 | 1k+ | | | Output is not escaped |
| #2780 | Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element | 43 | 66 | 109 | 800 | | | Missing direct file access protection |
| #2781 | Hash Form – Drag & Drop Form Builder | 43 | 9 | 273 | 3k+ | | | Non-prefixed global variable |
| #2782 | Pods Gravity Forms Add-On | 43 | 79 | 1k+ | Missing nonce verification | |||
| #2783 | Post title marquee scroll | 43 | 43 | 25 | 1k+ | | | Output is not escaped |
| #2784 | Qodax Checkout Manager – Checkout Field Editor for WooCommerce | 43 | 17 | 27 | 400 | | | Interpolated SQL is not prepared |
| #2785 | SQL Chart Builder | 43 | 12 | 39 | 600 | | | Non-prefixed global variable |
| #2786 | Term Management Tools | 43 | 9 | 26 | 10k+ | | | Non-prefixed hook name |
| #2787 | Terms Order WP – Categories And Taxonomies Order Plugin | 43 | 12 | 47 | 900 | | | Non-prefixed global variable |
| #2788 | Uber reCaptcha | 43 | 129 | 45 | 1k+ | | | Text Domain Mismatch |
| #2789 | Ultimate Member Widgets for Elementor – Login Form, Register Form & User Directory | 43 | 15 | 102 | 400 | | | Non-prefixed namespace |
| #2790 | User Role Editor | 43 | 117 | 145 | 700k+ | | | Output is not escaped |
| #2791 | User Session Control | 43 | 31 | 21 | 700 | | | Output is not escaped |
| #2792 | utm.codes | 43 | 34 | 33 | 400 | | | Missing nonce verification |
| #2793 | VA Simple Expires | 43 | 25 | 31 | 800 | | | Output is not escaped |
| #2794 | Checkout Field Manager (Checkout Manager) for WooCommerce | 43 | 161 | 154 | 90k+ | | | Non-prefixed global variable |
| #2795 | WP Hotel Booking WPML Support | 43 | 10 | 52 | 400 | | | Direct Query |
| #2796 | WP Mail Log | 43 | 40 | 29 | 10k+ | | | Text Domain Mismatch |
| #2797 | Creative Addons for Elementor | 44 | 63 | 100 | 800 | | | Missing Arg Domain |
| #2798 | Debug Bar Console | 44 | 23 | 9 | 1k+ | | | Missing Arg Domain |
| #2799 | ELEX WooCommerce Role Based Pricing | 44 | 213 | 196 | 2k+ | | | Non-prefixed global variable |
| #2800 | Github Embed | 44 | 18 | 35 | 1k+ | | | Non-prefixed global variable |